How Gradm protects its own password ?

Submit your RBAC policies or suggest policy improvements

Postby evilangel » Thu Nov 06, 2008 10:34 am

Hi all,

After setting up the admin password with gradm:
gradm -P
the file /etc/grsec/pw is generated.
However, this file is readable by root.

Finally, how does gradm protect its own secret against corruption?

Thanks
evilangel
 

Re: How Gradm protects its own password ?

Postby spender » Fri Nov 07, 2008 8:24 pm

With the RBAC system disabled, you have more to worry about than just the /etc/grsec/pw file being readable as root.
When the RBAC system is enabled, however, here are just a few of the ways:
The /etc/grsec/pw file is protected by default when the RBAC system is enabled through enforced policy rules (you won't be able to load a policy if a default subject is able to read /etc/grsec/pw).
Even gradm itself when the RBAC system is enabled is disallowed from accessing anything in /etc/grsec.
Password entry attempts are rate limited and denials are logged.
Modifications to /etc/grsec/pw even by an admin role while the RBAC system is enabled don't affect the current password set that exists in kernel memory.
Checks are made for terminal sniffers before any password prompt is given.
No process started by anyone else logged in as you will be able to ptrace your processes.
/root is enforced to be non-writable by default subjects as well, to prevent tampering with shell configuration (modification of your PATH, etc).

-Brad
spender
 

Re: How Gradm protects its own password ?

Postby evilangel » Sun Nov 09, 2008 5:24 pm

Thanks for this precious information.
evilangel
 

Re: How Gradm protects its own password ?

Postby spender » Mon Nov 10, 2008 9:59 am

I should also add that the learning mode of the RBAC system will automatically generate policies that keep files in /etc/grsec protected from reading or modification.

-Brad
spender
 

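A simplified sketch of the load-time rule spender describes above (a policy is rejected if a default subject can read /etc/grsec/pw), added here as an illustration; it is not part of the thread and not gradm's own code. It assumes brace-style policy syntax, longest-path object matching with no globbing or inheritance, and that roles flagged `A` are exempt; `SAMPLE_POLICY` and all function names are constructed for this example.

```python
PW = "/etc/grsec/pw"

# Constructed sample policy in grsecurity RBAC style (not a shipped policy).
SAMPLE_POLICY = """
role admin sA
subject / rvka {
    / rwcdmlxi
}
role default G
subject / {
    / r
    /etc rx
    /etc/grsec h
}
role webuser u
subject / {
    / r
    /etc r
}
"""

def parse_policy(text):
    """Return {role: (flags, {subject_path: {object_path: mode}})}."""
    roles, role, subj = {}, None, None
    for raw in text.splitlines():
        # Drop comments and braces; blank lines become [""] and match nothing.
        tok = raw.split("#")[0].replace("{", " ").replace("}", " ").split() or [""]
        if tok[0] == "role" and len(tok) > 1:
            role, subj = tok[1], None
            roles[role] = (tok[2] if len(tok) > 2 else "", {})
        elif tok[0] == "subject" and role and len(tok) > 1:
            subj = roles[role][1].setdefault(tok[1], {})
        elif tok[0].startswith("/") and subj is not None:
            subj[tok[0]] = tok[1] if len(tok) > 1 else ""  # no mode: no access
    return roles

def effective_mode(objects, path):
    """Mode of the longest object path covering `path` (simplified matching)."""
    hits = [o for o in objects if path == o or path.startswith(o.rstrip("/") + "/")]
    return objects[max(hits, key=len)] if hits else None

def default_subjects_reading(text, target=PW):
    """List (role, mode) where subject / of a non-admin role can read target."""
    findings = []
    for role, (flags, subjects) in parse_policy(text).items():
        mode = effective_mode(subjects.get("/", {}), target)
        if "A" not in flags and mode and "r" in mode and "h" not in mode:
            findings.append((role, mode))
    return findings
```

On the constructed sample, only the `webuser` role is reported: its default subject grants `r` on /etc with no more specific object hiding /etc/grsec.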
